How to create custom permissions in Django REST

2024-05-18 23:40:27 发布


I am new to Django REST, so I am trying to create a permission for employees so that they can only GET or PUT their own information. I used has_object_permission, but I can still access all the other users.

permissions.py:

from rest_framework.permissions import BasePermission

from .models import Role_User  # assumed import path: the table that maps a user to a role


class IsHRadmin(BasePermission):
    message = 'You are not allowed'

    # View-level check only. There is no has_object_permission override here,
    # so BasePermission's default (which returns True) applies per object.
    def has_permission(self, request, view):
        methods = ['GET', 'POST', 'PUT', 'DELETE']
        req = request.user
        # Look up the role row for the requesting user.
        user = Role_User.objects.get(user_id_id=req.id)
        role = "HR_Admin"

        if str(user.role_id) == role:
            print("Hello World")  # debug output left in by the poster
            if request.method in methods:
                return True
        return False


class IsEmployee(BasePermission):
    message = 'You are not allowed'

    # Object-level check only: the owner of a record may GET or PUT it.
    # has_permission is not overridden, so it defaults to True at view level.
    def has_object_permission(self, request, view, obj):
        methods = ['GET', 'PUT']

        if request.method in methods:
            if obj.owner == request.user:
                return True
        return False

views.py:

from rest_framework import generics, mixins
from rest_framework.permissions import IsAdminUser, IsAuthenticated

from .models import employee                      # assumed import path
from .permissions import IsEmployee, IsHRadmin    # assumed import path
from .serializers import EmployeeSerializer       # assumed import path


class EmployeeDetail(mixins.RetrieveModelMixin,
                     mixins.UpdateModelMixin,
                     mixins.DestroyModelMixin,
                     generics.GenericAPIView):
    lookup_field = 'pk'
    serializer_class = EmployeeSerializer

    # Composed permissions: an authenticated employee, or an authenticated HR admin,
    # or a Django admin user. Each side is evaluated at view level and at object level.
    auth1 = IsAuthenticated & IsEmployee
    auth2 = IsAuthenticated & IsHRadmin

    permission_classes = [auth1 | auth2 | IsAdminUser]

    def get_queryset(self):
        # Only narrows by the URL pk; it does not restrict by the requesting user.
        return employee.objects.filter(pk=self.kwargs['pk'])

    def get(self, request, *args, **kwargs):
        # retrieve() calls get_object(), which runs the object-level permission checks.
        return self.retrieve(request, *args, **kwargs)

    def put(self, request, *args, **kwargs):
        return self.update(request, *args, **kwargs)

    def delete(self, request, *args, **kwargs):
        return self.destroy(request, *args, **kwargs)

1 answer

User

#1 · Posted on 2024-05-18 23:40:27

The problem is that IsHRadmin defines the view-level permission check has_permission, not the object-level permission check has_object_permission. By default, has_object_permission returns True, so when another permission allows the user to access the view, IsHRadmin allows the user to access the object even when he should not. Therefore, you should define the object-level permission in IsHRadmin:

    def has_object_permission(self, request, view, obj):
        # Re-run the view-level role check for every object as well.
        return self.has_permission(request, view)
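The following is an added example, not code from the question or the answer above. It is a self-contained model of how DRF evaluates composed permission classes, written so it runs without Django installed: `BasePermission`, `AND`, `OR` and `check_access` are a small re-implementation modelled on `rest_framework.permissions` and on `APIView.check_permissions` / `check_object_permissions`, using the combinator semantics the answer describes (where `OR.has_object_permission` simply ORs its two operands). Composition is done on instances rather than classes for brevity, `IsAdminUser` is left out, and users and employee records are plain dataclasses constructed inline rather than Django models. It shows the leak with the poster's view-level-only `IsHRadmin` and the effect of the answer's fix.

```python
from dataclasses import dataclass


# Constructed stand-ins for Django's User, the Role_User lookup and the employee model.
@dataclass
class User:
    id: int
    role: str                     # "HR_Admin" or "Employee"
    is_authenticated: bool = True


@dataclass
class Employee:
    pk: int
    owner: User


@dataclass
class Request:
    user: User
    method: str


class BasePermission:
    """Modelled on DRF's BasePermission: both hooks allow access by default."""

    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        # This default is what lets a view-level-only permission pass at object level.
        return True

    def __and__(self, other):
        return AND(self, other)

    def __or__(self, other):
        return OR(self, other)


class AND(BasePermission):
    def __init__(self, op1, op2):
        self.op1, self.op2 = op1, op2

    def has_permission(self, request, view):
        return self.op1.has_permission(request, view) and self.op2.has_permission(request, view)

    def has_object_permission(self, request, view, obj):
        return (self.op1.has_object_permission(request, view, obj)
                and self.op2.has_object_permission(request, view, obj))


class OR(BasePermission):
    def __init__(self, op1, op2):
        self.op1, self.op2 = op1, op2

    def has_permission(self, request, view):
        return self.op1.has_permission(request, view) or self.op2.has_permission(request, view)

    def has_object_permission(self, request, view, obj):
        # Each side is judged at object level only; a side whose
        # has_object_permission is still the default True wins the OR outright.
        return (self.op1.has_object_permission(request, view, obj)
                or self.op2.has_object_permission(request, view, obj))


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return request.user.is_authenticated


class IsEmployee(BasePermission):
    """Object-level only, as in the question: owners may GET/PUT their own record."""

    def has_object_permission(self, request, view, obj):
        return request.method in ("GET", "PUT") and obj.owner == request.user


class IsHRadminBuggy(BasePermission):
    """View-level only, as in the question: no has_object_permission override."""

    def has_permission(self, request, view):
        return (request.user.role == "HR_Admin"
                and request.method in ("GET", "POST", "PUT", "DELETE"))


class IsHRadminFixed(IsHRadminBuggy):
    """The answer's fix: repeat the role check for every object."""

    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)


def build_permission(hr_admin_cls):
    # Same shape as the view: (IsAuthenticated & IsEmployee) | (IsAuthenticated & IsHRadmin)
    return (IsAuthenticated() & IsEmployee()) | (IsAuthenticated() & hr_admin_cls())


def check_access(permission, request, obj, view=None):
    """Order APIView uses: check_permissions() at dispatch, then
    check_object_permissions() inside get_object(). True means the request
    would reach retrieve()/update()/destroy() for that object."""
    if not permission.has_permission(request, view):
        return False
    return permission.has_object_permission(request, view, obj)


# Constructed sample data.
ALICE = User(id=1, role="Employee")
BOB = User(id=2, role="Employee")
CAROL = User(id=3, role="HR_Admin")
ANON = User(id=0, role="", is_authenticated=False)
ALICE_RECORD = Employee(pk=1, owner=ALICE)
BOB_RECORD = Employee(pk=2, owner=BOB)


if __name__ == "__main__":
    for label, cls in (("buggy", IsHRadminBuggy), ("fixed", IsHRadminFixed)):
        perm = build_permission(cls)
        print(label, "alice GET bob's record:",
              check_access(perm, Request(ALICE, "GET"), BOB_RECORD))
```

With the buggy class, Alice (an ordinary employee) passes the view-level check through the `IsEmployee` side, and then passes the object-level check through the `IsHRadmin` side because that side's `has_object_permission` is the default True, so she can read Bob's record. Two things worth keeping in mind beyond the fix itself: `has_object_permission` only runs when the view calls `get_object()`, so a list endpoint never invokes it and needs `get_queryset` to be scoped by the requesting user; and newer DRF releases changed `OR.has_object_permission` to also require the same side's `has_permission`, but defining the object-level check explicitly, as the answer does, keeps the authorization correct regardless of which combinator semantics the installed version has.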
